The CISO not reporting to the CIO discussion – another idea – maybe the Cs need a redo.

I have been a part of several discussions, posted articles, and responded to articles that talk about whom the CISO should report to.

First, let me state: the CISO should NOT report to the CIO. The CISO should report to the CEO/Board. The whys are another discussion and are posted all over the Internet. This discussion is about something else.

Here is where I blow your collective minds: my proposed redo of the C-suite as it pertains to security and IT. These should all report independently to the CEO/Board, but be the best of friends.

CPO – Chief Privacy Officer – does what this officer already does: oversees the privacy policies of the organization – most likely a lawyer

CDO – Chief Data Officer – oversees data, data usage, and data analytics, and designates the classification of data

CTO – Chief Technology Officer – is the IT officer; oversees the technology, network, infrastructure, data center, etc.

CAO – Chief Application Officer – oversees application development

CCO – Chief Compliance Officer – ensures the C-suite adheres to regulations, laws, and rules, and also oversees the IS and IT audits and the Audit Director

CISO – Chief Information Security Officer (or we could use CSO – Chief Security Officer, or even CCSO – Chief Cyber Security Officer) – this leader oversees the security program, governance, and operations: the whole Identify, Protect, Detect, Respond, and Recover process. Keep in mind that the security program enables and contributes to the success of all the other C-suite roles listed above. Without the security program the others are futile.

I look forward to your thoughts, comments, and additions.
